Re: US Military bans HTML in emails



In article <1167832240.731568.243390@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
"AEF" <spamsink2001@xxxxxxxxx> writes:
> Arne Vajhøj wrote:
>> AEF wrote:
>>> Arne Vajhøj wrote:
>>>> David J Dachtera wrote:
>>>>> Bill Gunshannon wrote:
>>>>>> Not in the real world. Good enough doesn't cut it when someone higher
>>>>>> than you says, "The corporate standard is MS Word."
>>>>> ...until the(ir next) multi-billion-dollar outage due to malware. Then, the
>>>>> higher-ups face turn-over while the worker bees burn the midnight oil to clean
>>>>> up the mess.
>>>> There were some real bad incidents 3-5 years ago.
>>>>
>>>> No move from Windows then.
>>>>
>>>> Now the MIS departments have tightened security.
>>>
>>> You mean like requiring 6-character passwords to now be "complex"?
>>> Yeah, that'll stop 'em!!! ;-)
>>>
>>> OK, maybe they're actually doing some more useful things.
>>
>> More as in:
>> min 8 characters
>> min 1 uppercase
>> min 1 lowercase
>> min 1 digit
>> min 1 punctuation
>>
>> Or as in email scanners that remove all EXE, BAT etc. from attached
>> ZIP files in inbound email.
>>
>> Arne
>
> It turns out that you get a lot more bang for the buck by requiring
> longer passwords.

Not sure where it is in the approval process but we talked about
allowing entire sentences (paragraphs?) as passwords and eliminating
the need for non-alpha characters.

> Complex passwords are not that much harder to crack.

Not if you are in a position to use brute-force. Most computers today
have all the horsepower needed to just try every possible character.
After all, there are less than 128. :-)

> Most characters will be lowercase.

Not always. :-)

> Punctuation will almost certainly be
> limited to periods, hyphens, and commas.

I do not now and have never (up to this point, at least) used any of
those characters.

> This greatly reduces the total
> number of possible combinations compared to a random character for each
> character. Hackers already know this trick.

The biggest safeguard is not providing a way to use a brute force attack.
Unfortunately, this brings up another whole issue. Use of brute force
to cause a DOS.

> If you sit down and calculate it, you'll find that complex passwords
> aren't worth the trouble (I'll post some numerical examples later when
> I have more time). Some say that users will write down passwords
> anyway. (So why lock your door? Burglars will get in anyway!) I say
> *more* users will write down complex passwords and they'll hate it a
> lot more than adding a few characters to the minimum length.

I have no statistics to back it up, but I don't agree. I think
people who are likely to write down their password are as likely
to do it no matter what the length. Unless you let them use
something that is easily guessed anyway.

> You'll
> probably also get more help desk calls for complex-password resets.
> Here's an article from infoworld (I can't find the original articles
> right now, I'll post them later).
> http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/06/11/10/46OPsecadvise_1.html
> I've seen passwords with zeros for O's and 3's for E's. What hacker
> could break through this fortress of security? Trying zeros for O's and
> 3's for E's? What hacker would ever think of that?

With your tongue pushed so far into your cheek be careful you don't
bite it. :-)

> This is like a mild speed
> bump whereas increasing the length a few characters is more like a huge
> mountain. It's like putting your wallet in the toe of your sneaker as
> you go into the water at the beach. Yes, it increases the total
> possible number of passwords, but not by much. See the link I provided
> for more detail.

Thus the reason for the suggestion above. I hope it gets approved soon.

bill

--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
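The thread argues the numbers without showing them: AEF promises "numerical examples later", and the length-versus-complexity claim rests on how the search space grows. The script below is an added example, not code from the thread or any of its posters. It computes the exact search space for the 8-character "min 1 of each class" policy Arne quotes (inclusion-exclusion over the four classes, since a policy that requires each class rules out the strings that lack one), sets it beside the attacker's model AEF describes (mostly lowercase, punctuation limited to period, hyphen and comma) and beside plain longer lowercase passwords, and counts what the "0 for O, 3 for E" trick actually adds. Assumptions, labelled in the code: class sizes are taken over printable ASCII (26/26/10/32), the substitution table `LEET` extends the thread's two substitutions with three more common ones, and the guess rate passed to `years_to_exhaust` is whatever you believe the attacker's hardware can do. All figures treat every position as uniformly random within its alphabet; a real sentence or dictionary word is far less random, so a sentence-length password scores here as an upper bound, not a guarantee against dictionary or Markov-style guessing.

```python
"""Added example (not from the thread): search-space arithmetic for the
password policies discussed above. Every figure assumes uniformly random
choice within the stated alphabet, so it is an upper bound on the work an
attacker faces, never a lower one."""
import math
import string
from itertools import combinations

# The four classes the quoted policy requires; sizes over printable ASCII
# (assumption: the site's actual allowed punctuation set may be smaller).
CLASSES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "punct": len(string.punctuation),       # 32
}
FULL_ALPHABET = sum(CLASSES.values())       # 94 printable, non-space ASCII

# AEF's attacker model: lowercase letters plus period, hyphen and comma.
GUESSED_ALPHABET = CLASSES["lower"] + 3     # 29


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of exactly `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def complex_keyspace(length: int, classes=CLASSES) -> int:
    """Strings of `length` over the union of all classes that contain at least
    one symbol from every class (the min-1-of-each rule). Inclusion-exclusion:
    all strings, minus those missing one class, plus those missing two, ..."""
    sizes = list(classes.values())
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):     # positions, so equal sizes are distinct
            remaining = sum(sizes) - sum(missing)
            total += (-1) ** k * remaining ** length
    return total


def bits(n: int) -> float:
    """Search space expressed as bits (log2), the usual unit for comparing policies."""
    return math.log2(n)


# Substitutions a cracker's rule set tries. Assumed list: the thread names only
# 0-for-O and 3-for-E; the other three are equally well known to attackers.
LEET = {"o": "0", "e": "3", "a": "4", "i": "1", "s": "5"}


def leet_variants(word: str) -> int:
    """Strings a cracker must try to cover every subset of the substitutions in
    LEET applied to `word`: 2 ** (number of substitutable characters)."""
    substitutable = sum(1 for c in word.lower() if c in LEET)
    return 2 ** substitutable


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try the whole space at `guesses_per_second`
    (the rate is an assumption about the attacker's hardware and the hash)."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumed: 1e9 guesses/s, e.g. a fast unsalted hash on commodity GPUs
    rows = [
        ("8 chars, min 1 of each class (quoted policy)", complex_keyspace(8)),
        ("8 chars, AEF's attacker model (26 + . - ,)", keyspace(GUESSED_ALPHABET, 8)),
        ("11 chars, lowercase only", keyspace(CLASSES["lower"], 11)),
        ("16 chars, lowercase only", keyspace(CLASSES["lower"], 16)),
        ("30 chars, lowercase only (a short sentence)", keyspace(CLASSES["lower"], 30)),
    ]
    for label, n in rows:
        print(f"{label:46s} {bits(n):6.1f} bits  {years_to_exhaust(n, rate):10.2e} years")

    # The "speed bump": 'password' with every l33t subset is 16 guesses (4 bits),
    # while three more lowercase characters multiply the space by 26**3 (~14 bits).
    word = "password"
    print(f"l33t variants of {word!r}: {leet_variants(word)} "
          f"(+{bits(leet_variants(word)):.1f} bits); "
          f"three extra lowercase chars: +{bits(keyspace(CLASSES['lower'], 3)):.1f} bits")
```

Two things worth noticing when you run it. First, the complex 8-character policy over 94 symbols comes in just under 52.4 bits, while 11 purely lowercase characters already exceed it (about 51.7 bits at 11, 56.4 at 12); the policy's "min 1 of each" rule costs a little space rather than adding any, because it forbids strings that omit a class. Second, if users behave as AEF predicts, the attacker's effective alphabet is 29, not 94, and the same 8 characters are worth about 38.9 bits. The sentence row is the one to treat with suspicion: a 30-character English sentence is nowhere near 141 bits of entropy, which is why the length argument holds against brute force but not against dictionary-driven guessing, and why the real safeguard Bill names (no unthrottled guessing path, salted slow hashes, lockout that cannot be turned into a denial of service) matters more than either policy.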